Internet Sellout

Demand Unearned Rewards

Harden IIS

Unless you are running an ancient version of IIS, the steps below should apply to whatever you have. Each heading is a finding a scanner or pentest report will typically raise against a stock IIS/ASP.NET site, followed by the fix.

Missing X-Frame-Options Header (clickjacking)
IIS Manager > HTTP Response Headers > Add > name X-Frame-Options, value SAMEORIGIN
Use DENY instead if nothing on your own site needs to frame the page.
HTTP OPTIONS Verb Enabled
IIS Manager > Request Filtering > HTTP Verbs > Deny Verb > OPTIONS
Deny any other verb the site does not use (TRACE, for example); the site only needs GET, POST and HEAD in most cases.
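Both IIS Manager actions above are just edits to the site's web.config under <system.webServer>. The fragment below is an added example of what they produce (it is not from the original post), so the same change can be checked into source control or pushed to a server without clicking through the UI. The TRACE entry is an assumption beyond the OPTIONS verb named above; drop it if the site needs it, and note that denied verbs get a 404 from request filtering rather than a 405.

```xml
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Clickjacking protection: only pages from this origin may frame us -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering>
        <verbs>
          <!-- Equivalent of IIS Manager > Request Filtering > HTTP Verbs > Deny Verb -->
          <add verb="OPTIONS" allowed="false" />
          <add verb="TRACE" allowed="false" />   <!-- assumption: not required by the site -->
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

If a parent site or applicationHost.config already defines X-Frame-Options, add a <remove name="X-Frame-Options" /> before the <add> or IIS will complain about a duplicate entry.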

Weak SSL Ciphers
IIS does not expose cipher suite settings in IIS Manager; they live in the SCHANNEL registry keys. IIS Crypto (IISCrypto.exe, a free third-party tool from Nartac Software) edits those keys for you.
Press the 'Best Practices' button and reboot; the SCHANNEL changes do not take effect until then.
Autocomplete Enabled on Password Field
Edit the ASP.NET login pages.
Edit the login template (you may have to convert the asp:Login control to a template to see its child controls) and add autocomplete="off" to the password TextBox:
<asp:TextBox ID="Password" runat="server" AutoCompleteType="Disabled" autocomplete="off" TextMode="Password"></asp:TextBox>

You would think AutoCompleteType="Disabled" would do it, but ultimately I have no idea what it does. AutoCompleteType is a server-side property for the browser vCard autocomplete feature and does not reliably render autocomplete="off" on a password box, so set the HTML attribute explicitly.
Thankfully autocomplete="off" is passed through to the rendered <input> unchanged if you just drop it in as an extra attribute.
Secure Flag on Cookies
ASP.NET website web.config, inside <system.web>.
Add requireSSL / cookieRequireSSL wherever a cookie is issued: httpCookies covers the session cookie and anything you set yourself, forms covers the authentication ticket, and anonymousIdentification and roleManager cover their own cookies.
 <system.web>
  <httpCookies requireSSL="true" />
  <authentication mode="Forms">
   <forms loginUrl="Login.aspx" defaultUrl="Default.aspx" requireSSL="true" />
  </authentication>
  <anonymousIdentification enabled="true" cookieRequireSSL="true" />
  <roleManager enabled="true" defaultProvider="CustomRoleProvider" cookieRequireSSL="true">
   <!-- existing providers section unchanged -->
  </roleManager>
 </system.web>

I would have preferred to do this in the root Web.Config, but I could not get it to work.
For development I sometimes use:
<appSettings file="diff\config\AppSettings.config">
<connectionStrings configSource="diff\config\Connection.config"/>
in the web.config so I can have a generic web.config for both production and development.
However, I would have to develop using SSL from now on to keep using this approach: with requireSSL set, forms authentication refuses to issue the ticket cookie over a plain HTTP request and the login fails.
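Every finding on this page (missing X-Frame-Options, OPTIONS and TRACE allowed, cookies without Secure, password field with autocomplete) is visible in a single captured response, so it is worth re-checking them after the config changes rather than trusting the scanner's next run. The script below is an added example, not code from the original post: it parses a raw HTTP response and returns the list of findings. The two sample responses are constructed for the example (the Allow header is what an OPTIONS request returns), and the HttpOnly check is an addition beyond the Secure flag discussed above.

```python
"""Audit a captured HTTP response for the IIS hardening items on this page."""
import re

# Constructed sample: a stock IIS/ASP.NET site before hardening.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: .ASPXAUTH=deadbeef; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form><input name="Password" type="password" id="Password" /></form>'
)

# Constructed sample: the same site after the web.config changes above.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; secure; HttpOnly\r\n"
    "Set-Cookie: .ASPXAUTH=deadbeef; path=/; secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form><input name="Password" type="password" autocomplete="off" /></form>'
)


def parse_response(raw):
    """Split a raw response into (status line, [(name, value)...], body).

    Header names are lower-cased; duplicates (Set-Cookie) are kept in order.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_response(raw):
    """Return a list of human-readable findings; an empty list means clean."""
    _, headers, body = parse_response(raw)
    findings = []

    def values(name):
        return [v for k, v in headers if k == name]

    # 1. Clickjacking: X-Frame-Options must be present and restrictive.
    xfo = values("x-frame-options")
    if not xfo:
        findings.append("missing X-Frame-Options header")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options has unexpected value %r" % xfo[0])

    # 2. Verbs: an Allow header (from an OPTIONS probe) advertising OPTIONS/TRACE
    #    means request filtering is not denying them.
    for allow in values("allow"):
        advertised = {v.strip().upper() for v in allow.split(",")}
        risky = sorted(advertised & {"OPTIONS", "TRACE", "TRACK"})
        if risky:
            findings.append("server allows verbs: " + ", ".join(risky))

    # 3. Cookies: every Set-Cookie needs Secure (and, as an extra, HttpOnly).
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure" % name)
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly" % name)

    # 4. Password fields rendered without autocomplete="off".
    for tag in re.findall(r"<input\b[^>]*>", body, flags=re.I):
        if re.search(r'type\s*=\s*["\']?password', tag, re.I) and not re.search(
            r'autocomplete\s*=\s*["\']?off', tag, re.I
        ):
            findings.append("password field without autocomplete=off: " + tag)

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or "clean")
```

To use it against a live server, capture the response with a proxy or `curl -i` (plus a second `curl -i -X OPTIONS` for the Allow header) and feed the text to audit_response; the parser expects CRLF line endings as sent on the wire.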